Sharing of EHR Passwords is Common: Report

According to the results of a recent survey, sharing EHR passwords is commonplace, particularly among interns, medical students, and nurses.

The research was carried out by Ayal Hassidim, MD, of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center.

The study was conducted on 299 medical students, nurses, medical residents, and interns, and the results were recently published in Healthcare Informatics Research.

The information stored in EHRs is sensitive and must be securely protected. Regulations such as HIPAA control access to that data. Everyone who requires access to the information in EHR systems must be issued a distinct user ID and password.

Any attempt to access protected health information must be logged so that healthcare organizations can monitor for unauthorized access. If login credentials are shared with other people, it is no longer possible to accurately record which people have accessed health information – a breach of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.

The survey indicates that sharing EHR passwords is a regular occurrence, even though the practice is not allowed under hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another person to access EHR records at least once. 57% of respondents estimated the number of occasions they had accessed EHR data – the average number of occasions was 4.75.

All medical students questioned said they had accessed EHRs using the login details of another person, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so varied among respondents.

Common reasons for sharing EHR passwords were that permissions on the user’s account did not permit them to complete their work responsibilities, that technical problems prevented them from using their own credentials, and that personal logins had not been issued even though EHR access was required to finish work duties.

The researchers suggest the provision of timely and efficient treatment is often at odds with security protections. The researchers stated, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”

The researchers made two recommendations: “Usability should be added as the fourth principle in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be alerted. This would permit junior staff to perform urgent, lifesaving decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”
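The one-action elevation described in the second recommendation can be sketched as follows. This is an added example, not code from the study or from any EMR product; the `BreakGlass` class, the `notify` callable and the 300-second expiry are assumptions made for illustration. The grant is bound to the requester's own user ID, so the audit trail stays attributable in a way that a borrowed password cannot be.

```python
import secrets
import time

GRANT_TTL_SECONDS = 300  # assumed: an unused grant lapses after 5 minutes

class BreakGlass:
    """One-action emergency elevation bound to the requester's own user ID."""

    def __init__(self, notify):
        self._notify = notify   # hypothetical callable that alerts the supervisor
        self._grants = {}       # token -> grant record
        self.audit_log = []     # every event names exactly one user

    def _log(self, event, user_id, action, patient_id, now):
        self.audit_log.append({"event": event, "user_id": user_id, "at": now,
                               "action": action, "patient_id": patient_id})

    def invoke(self, user_id, action, patient_id, reason, now=None):
        """Issue a single-use grant and alert the supervisor immediately."""
        if not reason.strip():
            raise ValueError("a justification is required")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._grants[token] = {
            "user_id": user_id, "action": action, "patient_id": patient_id,
            "reason": reason, "expires": now + GRANT_TTL_SECONDS,
            "used": False, "reviewed_by": None}
        self._log("invoked", user_id, action, patient_id, now)
        self._notify(f"break-glass: {user_id} -> {action} on {patient_id}: {reason}")
        return token

    def authorize(self, token, user_id, action, patient_id, now=None):
        """Permit only the granted action, by the same user, exactly once."""
        now = time.time() if now is None else now
        g = self._grants.get(token)
        ok = (g is not None and not g["used"] and now <= g["expires"]
              and (g["user_id"], g["action"], g["patient_id"])
              == (user_id, action, patient_id))
        if ok:
            g["used"] = True
        self._log("used" if ok else "denied", user_id, action, patient_id, now)
        return ok

    def review(self, token, reviewer_id):
        """Record the retrospective sign-off by a senior member."""
        self._grants[token]["reviewed_by"] = reviewer_id

    def pending_review(self):
        return [g for g in self._grants.values() if g["reviewed_by"] is None]
```

Denied attempts are logged alongside successful ones, so reuse of a grant or use by a different account shows up in the same trail the supervisor reviews.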